Internet Domain Registry

  • Subscribe to our RSS feed.
  • Twitter
  • StumbleUpon
  • Reddit
  • Facebook
  • Digg

Saturday, 23 January 2010

AOL Update spreads Zeus / Zbot

Posted on 18:42 by Unknown
The UAB Spam Data Mine has been receiving emails like these all weekend . . .

Dear AOL Instant Messenger (AIM) user,

Your AIM account is flagged as inactive. Within the following 72 hours it’ll be deleted from the system.

If you plan to use this account in the future, you have to download and launch the latest update for the AIM. This update is critical.

In order to install the update use the following link. This link is generated exclusively for your account and is available within a certain period of time. As soon as this link is not available anymore you will get another letter.

Thank you,

AIM Service Team

This e-mail has been sent from an e-mail address that is not monitored. Please do not reply to this message. We are unable to respond to any replies.


The email subjects today are primarily three:

AOL Instant Messenger critical update
Your AOL Instant Messenger account is flagged as inactive
Your AOL Instant Messenger account will be deleted



The download link points to a file called:

aimupdate_7.1.6.475

File size: 130048 bytes
MD5 : 506b74fab91958e0a9714c4ef5a9f24d
SHA1 : bdb3ecffb2245a6a3f4bda3880aa562a13bff421

VirusTotal of course informs us that this is a Zeus / Zbot infector:

(See VirusTotal Report)

Before you even download the "executable", there is drive-by malware that hits the visitor.

== 109.95.114.251/usr5432/in.php is called as a result of an iframe on the page.

This leads to the download and loading of:

== 109.95.114.251/usr5432/xd/pdf.pdf
and then
== /usr5432/xd/sNode.php
and /usr5432/xd/swfobject.js

and then nekovo.ru/kissme/rec.php
which downloads nekovo.ru/abs.exe

abs.exe is only detectable by 5 of 41 anti-virus products according to VirusTotal, most of them detecting them as "Hiloti":

VirusTotal Report on Hiloti - abs.exe




Websites that have been used in this campaign, all using the path "products/aimController.php", include:


machine
--------------------------------
update.aol.com.favucca.co.im
update.aol.com.favuccaco.im
update.aol.com.favucca.com.im
update.aol.com.favuccacom.im
update.aol.com.favuccaim
update.aol.com.favucca.im
update.aol.com.favucca.net.im
update.aol.com.favuccanet.im
update.aol.com.favucca.org.im
update.aol.com.favuccaorg.im
update.aol.com.hasdxzzw.co.im
update.aol.com.hasdxzzw.com.im
update.aol.com.hasdxzzw.im
update.aol.com.hasdxzzw.net.im
update.aol.com.hasdxzzw.org.im
update.aol.com.oifeazx.com.pl
update.aol.com.oifeazxcom.pl
update.aol.com.oijeaxx.com.pl
update.aol.com.oijeaxxcom.pl
update.aol.com.oijeazx.com.pl
update.aol.com.oijeazxcom.pl
update.aol.com.oijhaxx.com.pl
update.aol.com.oijhaxxcom.pl
update.aol.com.oijhayx.com.pl
update.aol.com.oijhayxcom.pl
update.aol.com.oijqayx.com.pl
update.aol.com.oijqayxcom.pl
update.aol.com.oiybaqr.com.pl
update.aol.com.oiybaqrcom.pl
update.aol.com.oiybkqr.com.pl
update.aol.com.oiybkqrcom.pl
update.aol.com.oiyqaqr.com.pl
update.aol.com.oiyqaqrcom.pl
update.aol.com.oiyqayr.com.pl
update.aol.com.oiyqayrcom.pl
update.aol.com.oiyqayx.com.pl
update.aol.com.oiyqayxcom.pl
update.aol.com.onybkqr.com.pl
update.aol.com.onybkqrcom.pl
update.aol.com.onybksm.com.pl
update.aol.com.onybksmcom.pl
update.aol.com.onybksr.com.pl
update.aol.com.onybksrcom.pl
update.aol.com.onybmsm.com.pl
update.aol.com.onybmsmcom.pl
update.aol.com.pikie.com.pl
update.aol.com.pikoe.com.pl
update.aol.com.pikqe.com.pl
update.aol.com.pikye.com.pl
update.aol.com.pioqe.com.pl
update.aol.com.pioqo.com.pl
update.aol.com.saxxxzabe
update.aol.com.saxxxzfbe
update.aol.com.saxxxznbe
update.aol.com.saxxxzn.be
update.aol.com.terfkioa.com.pl
update.aol.com.terfkioa.net.pl
update.aol.com.terfkioc.com.pl
update.aol.com.terfkioc.net.pl
update.aol.com.terfkiod.com.pl
update.aol.com.terfkiod.net.pl
update.aol.com.terfkiof.com.pl
update.aol.com.terfkiof.net.pl
update.aol.com.terfkioq.com.pl
update.aol.com.terfkioq.net.pl
update.aol.com.terfkior.com.pl
update.aol.com.terfkios.com.pl
update.aol.com.terfkios.net.pl
update.aol.com.terfkiox.com.pl
update.aol.com.terfkiox.net.pl
update.aol.com.yhff10.com.pl
update.aol.com.yhff11.com.pl
update.aol.com.yhffd0.com.pl
update.aol.com.yhffd1.com.pl
update.aol.com.yhffd2.com.pl
update.aol.com.yhffd3.com.pl
update.aol.com.yhffd4.com.pl
update.aol.com.yhffd5.com.pl
update.aol.com.yhffd6.com.pl
update.aol.com.yhffd7.com.pl
update.aol.com.yhffd8.com.pl
update.aol.com.yhffd9.com.pl
update.aol.com.yhnki6u.com.pl
update.aol.com.yhnki6ucom.pl
update.aol.com.yhnkz6u.com.pl
update.aol.com.yhnkz6ucom.pl
update.aol.com.yhuki6u.com.pl
update.aol.com.yhuki6ucom.pl
update.aol.com.yhuoi6u.com.pl
update.aol.com.yhuoi6ucom.pl
update.aol.com.yhuoo6u.com.pl
update.aol.com.yhuoo6ucom.pl
update.aol.com.yhuou6u.com.pl
update.aol.com.yhuou6ucom.pl
update.aol.com.yhusssqb.com.pl
update.aol.com.yhusssqc.com.pl
update.aol.com.yhusssqd.com.pl
update.aol.com.yhusssqf.com.pl
update.aol.com.yhusssqg.com.pl
update.aol.com.yhusssqh.com.pl
update.aol.com.yhusssqj.com.pl
update.aol.com.yhusssqn.com.pl
update.aol.com.yhusssqq.com.pl
update.aol.com.yhusssqs.com.pl
update.aol.com.yhusssqu.com.pl
update.aol.com.yhusssqv.com.pl
update.aol.com.yhusssqw.com.pl
update.aol.com.yhusssqy.com.pl
update.aol.com.yhuui6u.com.pl
update.aol.com.yhuui6ucom.pl
update.aol.com.yhuyu6u.com.pl
update.aol.com.yhuyu6ucom.pl
update.aol.com.yhuyu6y.com.pl
update.aol.com.yhuyu6ycom.pl
update.aol.com.yhyki6u.com.pl
update.aol.com.yhyki6ucom.pl
(116 rows)
Email ThisBlogThis!Share to XShare to Facebook
Posted in zbot | No comments
Newer Post Older Post Home

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Popular Posts

  • 2009 Year in Review
    As 2009 comes to a close I wanted to take a minute to thank all of the people who have been helpful to this blog this year, and to share bac...
  • What about the Social Security Numbers? (The Utah Data Breach and your SSN)
    The Utah Data Breach This week the continuing saga of the Utah Medicaid Data Breach continued to unfold. If you haven't been following...
  • Top Brands Imitated by Malicious Spam
    WebSense recently released an InfoGraphic titled "Top Five Subject Lines in Phishing Emails." for January 1, 2013 through Septemb...
  • Carder Christopher Schroebel gets Seven Years
    21 years old and thinking about Cybercrime as a career choice?  Think again.  Seattle-based U.S. Attorney Jenny Durkan told a press conferen...
  • Stop the Rumors: Quit SMSing about WalMart Gang Initiations
    My daughter and her teenage friend were sitting on the couch watching TV today when they began getting text messages on their phone. Here...
  • New BBC spam mocks Georgia's President, Spreads New Virus
    This morning we've received more than 300 copies of a new "BBC" spam campaign which mocks Georgia's President and spreads ...
  • New Year's Waledac Card
    We haven't seen a new version of Waledac since Independence Day (July 4, 2009), but it looks like its back! I'm on vacation today, s...
  • Digital Certificates Update
    A quick update from the previous post. The Digital Certificates spam campaign against Merrill Lynch continues, but the good guys seem to be ...
  • ATM Cashers in 26 Countries steal $40M
    CBS News in New York has a video on their website this morning title Cyber-attacks behind possibly record-breaking bank heist . Former FBI ...
  • A New Year and Anti-Virus Products Are Still Losing
    One of our most popular blog posts in 2008 was back in August - Anti-Virus Products Still Fail on Fresh Viruses . I'm sad to report tha...

Categories

  • china
  • computer security careers
  • conficker
  • cyberwar
  • digital certificates
  • facebook
  • fake av
  • gumblar
  • koobface
  • law enforcement
  • malware
  • pharmaceuticals
  • phishing
  • public policy
  • spam
  • twitter
  • twitter malware
  • waledac
  • zbot

Blog Archive

  • ►  2013 (21)
    • ►  December (4)
    • ►  November (1)
    • ►  October (1)
    • ►  September (1)
    • ►  August (3)
    • ►  July (1)
    • ►  June (1)
    • ►  May (5)
    • ►  April (3)
    • ►  March (1)
  • ►  2012 (18)
    • ►  August (1)
    • ►  June (1)
    • ►  May (7)
    • ►  April (2)
    • ►  March (7)
  • ►  2011 (28)
    • ►  November (3)
    • ►  October (1)
    • ►  August (4)
    • ►  July (6)
    • ►  June (1)
    • ►  May (2)
    • ►  April (2)
    • ►  March (6)
    • ►  February (1)
    • ►  January (2)
  • ▼  2010 (80)
    • ►  December (6)
    • ►  November (10)
    • ►  October (6)
    • ►  September (12)
    • ►  August (5)
    • ►  July (4)
    • ►  June (11)
    • ►  April (7)
    • ►  March (8)
    • ►  February (4)
    • ▼  January (7)
      • Minipost: VISA Zeus
      • American Bankers Association version of Zeus Bot /...
      • AOL Update spreads Zeus / Zbot
      • Sendspace Zbot spreader a Flashback to Dec 15-20
      • USAA Bank latest Avalanche Scam
      • Minipost: #CNIRcyberwar ? ? ?
      • Iranian Cyber Army returns - target: Baidu.com
  • ►  2009 (92)
    • ►  December (12)
    • ►  November (11)
    • ►  October (16)
    • ►  September (7)
    • ►  July (5)
    • ►  June (10)
    • ►  May (2)
    • ►  April (6)
    • ►  March (7)
    • ►  February (6)
    • ►  January (10)
  • ►  2008 (101)
    • ►  December (7)
    • ►  November (17)
    • ►  October (11)
    • ►  September (10)
    • ►  August (22)
    • ►  July (12)
    • ►  June (3)
    • ►  May (7)
    • ►  April (5)
    • ►  March (2)
    • ►  February (1)
    • ►  January (4)
  • ►  2007 (31)
    • ►  December (3)
    • ►  November (9)
    • ►  October (3)
    • ►  September (2)
    • ►  August (5)
    • ►  July (5)
    • ►  January (4)
  • ►  2006 (5)
    • ►  December (2)
    • ►  October (3)
Powered by Blogger.

About Me

Unknown
View my complete profile